@pmathew92
Contributor

Changes

This PR adds organization support to customTokenExchange in the AuthenticationAPIClient class.

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. Since this library has unit testing, tests should be added for new functionality and existing tests should complete without errors.

  • This change adds unit test coverage

  • This change adds integration test coverage

  • This change has been tested on the latest version of the platform/language or why not

Checklist

@pmathew92 pmathew92 marked this pull request as ready for review December 9, 2025 10:49
@pmathew92 pmathew92 requested a review from a team as a code owner December 9, 2025 10:49
@pmathew92 pmathew92 requested a review from Copilot December 9, 2025 11:15
Copilot AI left a comment

Pull request overview

This PR adds support for an optional organization parameter to the customTokenExchange() method in the AuthenticationAPIClient class. It also introduces a new validation framework with a RequestValidator interface and implements client-side validation for custom token exchange to reject reserved namespaces and validate HTTP/HTTPS URIs.

Key changes:

  • Added optional organization parameter to customTokenExchange() method with default value of null
  • Implemented RequestValidator interface for pre-request validation
  • Created CustomTokenExchangeValidator to validate subject token types (rejects reserved namespaces, validates HTTP/HTTPS URIs)
  • Added validator support to Request, AuthenticationRequest, and their implementations

Reviewed changes

Copilot reviewed 11 out of 11 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| auth0/src/main/java/com/auth0/android/authentication/AuthenticationAPIClient.kt | Added organization parameter to customTokenExchange method and integrated validator; expanded wildcard imports to explicit imports |
| auth0/src/main/java/com/auth0/android/request/internal/validator/CustomTokenExchangeValidator.kt | New validator class to validate subject_token_type parameter, rejecting reserved namespaces and validating HTTP/HTTPS URIs |
| auth0/src/main/java/com/auth0/android/request/RequestValidator.kt | New interface defining the validator contract for pre-request validation |
| auth0/src/main/java/com/auth0/android/request/Request.kt | Added addValidator() method with default no-op implementation |
| auth0/src/main/java/com/auth0/android/request/AuthenticationRequest.kt | Added addValidator() method override; removed unused Callback import |
| auth0/src/main/java/com/auth0/android/request/internal/BaseRequest.kt | Implemented validator storage and execution before request execution |
| auth0/src/main/java/com/auth0/android/request/internal/BaseAuthenticationRequest.kt | Implemented addValidator() to delegate to underlying request; expanded wildcard imports |
| auth0/src/main/java/com/auth0/android/request/SignUpRequest.kt | Implemented addValidator() to delegate to authentication request |
| auth0/src/test/java/com/auth0/android/authentication/AuthenticationAPIClientTest.kt | Added comprehensive tests for organization parameter and validator behavior; includes tests for reserved namespaces and invalid URIs; fixed formatting issues |
| auth0/src/test/java/com/auth0/android/authentication/request/RequestMock.java | Added addValidator() no-op implementation to test mock |
| auth0/src/test/java/com/auth0/android/authentication/request/AuthenticationRequestMock.java | Added addValidator() no-op implementation to test mock |
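
A sketch of the kind of pre-request check summarized above, added here as an example; it is not code from this PR or from the Auth0 SDK. `ParameterValidator`, the reserved values, the sample inputs and the rule that only http(s) URLs and URNs are accepted are all assumptions made for illustration.

```kotlin
import java.net.URI
import java.net.URISyntaxException

// Hypothetical pre-request hook; not the SDK's RequestValidator interface.
fun interface ParameterValidator {
    fun validate(parameters: Map<String, Any?>)
}

// Placeholder values constructed for illustration; use the namespaces your
// authorization server documents as reserved.
val RESERVED_URN_PREFIXES = listOf("urn:reserved-example:")
val RESERVED_HOSTS = listOf("reserved.example")

class SubjectTokenTypeValidator : ParameterValidator {
    override fun validate(parameters: Map<String, Any?>) {
        // Safe cast: a missing or non-String value is rejected, not a ClassCastException.
        val raw = parameters["subject_token_type"] as? String
            ?: throw IllegalArgumentException("subject_token_type must be a string")
        val value = raw.trim()
        require(value.isNotEmpty()) { "subject_token_type must not be blank" }
        val uri = try { URI(value) } catch (e: URISyntaxException) {
            throw IllegalArgumentException("subject_token_type is not a valid URI", e)
        }
        // Schemes and host names are case-insensitive, so normalise before comparing.
        when (uri.scheme?.lowercase()) {
            "http", "https" -> {
                val host = uri.host?.lowercase()
                    ?: throw IllegalArgumentException("subject_token_type URL has no host")
                // Compare the parsed host, not a string prefix, so a port, a missing
                // trailing slash or a subdomain cannot slip past the check.
                require(RESERVED_HOSTS.none { host == it || host.endsWith(".$it") }) {
                    "subject_token_type uses a reserved namespace"
                }
            }
            "urn" -> require(RESERVED_URN_PREFIXES.none { value.lowercase().startsWith(it) }) {
                "subject_token_type uses a reserved namespace"
            }
            else -> throw IllegalArgumentException("subject_token_type must be an http(s) URL or a URN")
        }
    }
}

fun main() {
    // Constructed sample inputs, including a non-String value and an empty authority.
    val samples: List<Any?> = listOf("https://acme.example/token-type",
        "HTTPS://Sub.Reserved.Example:8443", "urn:acme:legacy", "URN:Reserved-Example:x", 42, "http://")
    for (s in samples) {
        val verdict = try { SubjectTokenTypeValidator().validate(mapOf("subject_token_type" to s)); "accepted" }
        catch (e: IllegalArgumentException) { "rejected: ${e.message}" }
        println("$s -> $verdict")
    }
}
```

A client-side check like this only gives early feedback to the caller; the authorization server still has to enforce the same rule.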

sanchitmehta94 previously approved these changes Dec 9, 2025
@sanchitmehta94 sanchitmehta94 left a comment

LGTM

@NandanPrabhu
Contributor

@claude

@github-actions
github-actions bot commented Dec 10, 2025

Claude finished @NandanPrabhu's task


Code Review Complete

  • Read PR diff
  • Read project architecture documentation
  • Perform code quality review
  • Perform security review
  • Perform performance review
  • Provide inline feedback
  • Update with final assessment

Overall Assessment

❌ This pull request requires changes before it can be merged. While the feature implementation is solid and well-tested, there are several issues that need to be addressed: a critical type safety vulnerability in the validator that could cause runtime crashes, incomplete validation logic for reserved namespace URLs, and minor code style inconsistencies with the existing codebase patterns.


@NandanPrabhu
Contributor

@pmathew92 do we still need to add the client-side validation? I am assuming we don't have to, as confirmed in the CTE channel. The profile API already does validation for the reserved keyword.

@pmathew92 pmathew92 merged commit 2f6dc87 into main Dec 10, 2025
6 checks passed
@pmathew92 pmathew92 deleted the cte_org branch December 10, 2025 17:33
@pmathew92 pmathew92 mentioned this pull request Dec 11, 2025